integrating-sast-into-github-actions-pipeline


This skill covers integrating Static Application Security Testing (SAST) tools—CodeQL and Semgrep—into GitHub Actions CI/CD pipelines. It addresses configuring automated code scanning on pull requests and pushes, tuning rules to reduce false positives, uploading SARIF results to GitHub Advanced Security, and establishing quality gates that block merges when high-severity vulnerabilities are detected.

Category: AI & Automation · 12,642 stars · 1,468 forks · Updated today · Apache-2.0


Quality Score: 99/100

| Criterion | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Integrating SAST into GitHub Actions Pipeline

## When to Use

- When development teams need automated code-level vulnerability detection on every pull request
- When security teams require consistent SAST enforcement across all repositories in an organization
- When migrating from manual or periodic security reviews to continuous security testing
- When compliance frameworks (SOC 2, PCI DSS, NIST SSDF) require evidence of automated code analysis
- When multiple languages coexist in a monorepo and need unified scanning under one workflow

**Do not use** for runtime vulnerability detection (use DAST instead), for scanning third-party dependencies (use SCA tools such as Snyk), or for infrastructure-as-code scanning (use Checkov or tfsec). SAST finds defects in the code you write; it does not see the dependency tree, the running service, or the deployed infrastructure.

## Prerequisites

- GitHub repository with GitHub Actions enabled
- GitHub Advanced Security license (required for CodeQL on private repositories; CodeQL is free on public repositories)
- Semgrep account for the Semgrep App dashboard and centrally managed policies (free tier available); the open-source `semgrep` CLI with registry rules runs in CI without an account
- Repository code in a language CodeQL supports: Python, JavaScript/TypeScript, Java/Kotlin, C/C++, C#, Go, Ruby, Swift. Semgrep supports a broader set of languages, so a monorepo can fall back to Semgrep for code CodeQL cannot analyze.

## Workflow

### Step 1: Configure CodeQL Analysis Workflow

Create a CodeQL workflow that runs on pushes to the main branches, on pull requests targeting `main`, and on a weekly schedule. The scheduled run matters because new queries ship regularly and will flag code that nobody has touched since the last push.

```yaml
# .github/workflows/codeql-analysis.yml
name: "CodeQL Analysis"
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '30 2 * * 1'  # Weekly Monday 2:...
```
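The quality gate the description refers to, written here as an added Python example rather than code from the skill or the mukul975 repository. It reads the SARIF that `semgrep --sarif -o results.sarif` or a CodeQL run writes, classifies each result by the rule's `security-severity` property where the scanner supplies one (the same CVSS-style score GitHub code scanning bands into critical/high/medium/low), falls back to the SARIF `level` otherwise (that fallback mapping is this example's own assumption, not a SARIF rule), honours in-source suppressions such as `nosemgrep`, and exits non-zero when anything at or above the threshold remains. The `sarif_gate.py` name, the `example.*` rule ids, the file paths and the embedded SARIF sample are all constructed for the example.

```python
# SARIF quality gate for a GitHub Actions SAST job (added example, not the skill's code).
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Fallback when a rule has no "security-severity" score: map the SARIF result
# level. This mapping is an assumption of the example, not a SARIF rule.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def score_to_severity(score: float) -> str:
    """GitHub code scanning bands for the CVSS-style "security-severity" rule
    property: critical >= 9.0, high >= 7.0, medium >= 4.0, otherwise low."""
    for band, floor in (("critical", 9.0), ("high", 7.0), ("medium", 4.0)):
        if score >= floor:
            return band
    return "low"


def index_rules(run: dict) -> dict:
    """Rule metadata keyed by id. CodeQL may list rules under tool.extensions
    (one entry per query pack) instead of tool.driver, so both are read."""
    tool = run.get("tool", {})
    rules = {}
    for component in [tool.get("driver", {})] + tool.get("extensions", []):
        for rule in component.get("rules", []):
            rules[rule["id"]] = rule
    return rules


def result_severity(result: dict, rules: dict) -> str:
    rule = rules.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        return score_to_severity(float(score))
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def blocking_findings(sarif: dict, threshold: str = "high", suppressed_rules=()) -> list:
    """Findings at or above threshold, minus rule ids on the gate's allowlist (where
    tuned-out false positives go) and results the scanner already marked suppressed."""
    min_rank = SEVERITY_RANK[threshold]
    suppressed = set(suppressed_rules)
    findings = []
    for run in sarif.get("runs", []):
        rules = index_rules(run)
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            if rule_id in suppressed or result.get("suppressions"):
                continue
            severity = result_severity(result, rules)
            if SEVERITY_RANK[severity] < min_rank:
                continue
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": rule_id, "severity": severity,
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def _hit(rule: str, level: str, uri: str, line: int, text: str, suppressed: bool = False) -> dict:
    """Build one SARIF result for the constructed sample below."""
    r = {"ruleId": rule, "level": level, "message": {"text": text},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                             "region": {"startLine": line}}}]}
    if suppressed:
        r["suppressions"] = [{"kind": "inSource"}]
    return r


# Constructed sample (placeholder rule ids, not real scan output): a high-severity
# hit, a best-practice warning with no security score, and a suppressed finding.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "semgrep", "rules": [
        {"id": "example.subprocess-shell-true", "properties": {"security-severity": "8.0"}},
        {"id": "example.unused-variable"},
        {"id": "example.flask-debug-enabled", "properties": {"security-severity": "7.5"}},
    ]}},
    "results": [
        _hit("example.subprocess-shell-true", "error", "app/run.py", 42, "subprocess call with shell=True"),
        _hit("example.unused-variable", "warning", "app/util.py", 7, "variable assigned but never used"),
        _hit("example.flask-debug-enabled", "error", "app/dev.py", 3, "Flask debug mode on", True),
    ],
}]}


def main(argv: list) -> int:
    """python sarif_gate.py results.sarif [threshold]; with no file, gates the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    threshold = argv[2] if len(argv) > 2 else "high"
    findings = blocking_findings(sarif, threshold)
    for f in findings:
        print(f"{f['severity'].upper()} {f['rule']} {f['file']}:{f['line']} {f['message']}")
    print(f"{len(findings)} finding(s) at or above {threshold}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in as a `run:` step after the scan, and make that job a required status check in branch protection: the non-zero exit fails the check and GitHub refuses the merge. Keep the `github/codeql-action/upload-sarif` step before the gate so the alerts still land in the Security tab when the gate fails, and put rules you have decided are noise into `suppressed_rules` (or the scanner's own ignore config) rather than lowering the threshold for everyone.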

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0
